We have examined how GrimAgent behaves throughout its execution: what it does and when. We will now analyze the various opportunities to detect the malware. The way in which it carries out these actions can be used to monitor its behavior in the different defense mechanisms, or to match it with Sigma, Yara or Suricata rules.

Detection opportunity 1: Persistence
On the first run, the malware copies itself to another directory, runs the new copy while establishing persistence for it, and deletes the old file. A common path the malware uses is C:\Users\Public. GrimAgent performs specific calls to do this, and they can be monitored to identify the related behavior.
Check the IOC section for the full information about the commands used for the malware's persistence.

Detection opportunity 2: Mutex (old malware version)
One of GrimAgent's most characteristic traits is that it uses the last 64 bytes of the binary to compute the name of its mutex. This can be turned into a behavior rule: given a sample, we can predict the mutex name it will create on the system.
All we have to do is reproduce the algorithm in our own tooling, taking the last 64 bytes of the file and computing the candidate mutex name, then compare it with the mutexes observed on the host. The algorithm used by the malware is described in the Mutex section.

Detection opportunity 3: Network
The first domain contacted is "api.myip.com", used to obtain the country code and the client IP (http://ip-api.com/csv/?fields=query,countryCode); the malware then makes a request to the C2 to obtain the AES key. Once that is done, it makes periodic requests to the C2 infrastructure to obtain the next commands and/or next-stage payloads. We can take advantage of the use of the path "/gate.php" in conjunction with specific fields such as the Referer (google.com, youtube.com, etc.) when contacting the C2. A Referer that names a popular site on a request sent to a host unrelated to that site is itself a usable signal.
Link to Suricata rule: https://github.com/apriegob/GrimAgent/blob/main/Ru...

Detection opportunity 4: Payload drop
When executing the malware commands that run shellcode and DLLs, GrimAgent uses a launcher binary embedded in the initial sample. We can create detection rules for this binary and alert our defense teams when a match is found.
The following Yara rule was created to detect the shellcode and DLL launchers (32-bit/64-bit) embedded in GrimAgent.
Link to Yara rule: https://github.com/apriegob/GrimAgent/blob/main/Ru...

Detection opportunity 5: Payload execution
As we have shown throughout the article, GrimAgent executes payloads both directly through the ShellExecute call and indirectly through scheduled tasks. Since it always uses the same schtasks syntax, these actions can be matched. The sequence is suspicious in itself: a scheduled task is created, run almost immediately after its creation with the highest privileges, and then deleted. Check the IOC section for the full information about the commands used for payload execution.
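The two endpoint behaviors described on this page, the copy-run-delete persistence step of detection opportunity 1 and the create-run-delete scheduled-task sequence of detection opportunity 5, as correlation logic over process and file events. This is an added example for this article, not code from the original analysis. The events are constructed Sysmon-style records; the paths, the task name "Upd", the 60-second window and the command lines are assumptions for illustration (the real command lines are listed in the article's IOC section, not reproduced here).

```python
"""Correlating endpoint telemetry for two GrimAgent behaviors: the copy-run-delete
persistence step and the create-run-delete scheduled-task sequence. Added example
for this article, not code from the original analysis. Events below are constructed
Sysmon-style records; paths, the task name and command lines are assumptions."""
import re
from datetime import datetime, timedelta

PUBLIC_DIR = "c:\\users\\public\\"           # drop directory named in the article
TASK_WINDOW = timedelta(seconds=60)          # assumption: create -> delete within this is suspicious
_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_self_relocation(events):
    """Process A writes an .exe under C:\\Users\\Public, that file is then executed,
    and A's own image is deleted afterwards: copy, run the copy, delete the old file."""
    hits = []
    for fc in events:
        if fc["type"] != "FileCreate":
            continue
        target = fc["target"].lower()
        if not (target.startswith(PUBLIC_DIR) and target.endswith(".exe")):
            continue
        ran = any(e["type"] == "ProcessCreate" and e["image"].lower() == target
                  and _ts(e) >= _ts(fc) for e in events)
        old_deleted = any(e["type"] == "FileDelete" and e["target"].lower() == fc["image"].lower()
                          and _ts(e) >= _ts(fc) for e in events)
        if ran and old_deleted:
            hits.append({"original": fc["image"], "copy": fc["target"]})
    return hits


def detect_task_abuse(events, window=TASK_WINDOW):
    """Task names (/tn) created with /rl highest, then run and deleted within `window`."""
    tasks = {}
    for e in events:
        if e["type"] != "ProcessCreate" or not e["image"].lower().endswith("schtasks.exe"):
            continue
        m = _TN.search(e["cmdline"])
        if not m:
            continue
        tokens = e["cmdline"].lower().split()
        rec = tasks.setdefault(m.group(1).lower(), {})
        for action in ("/create", "/run", "/delete"):
            if action in tokens:
                rec[action] = _ts(e)
        if "/create" in tokens and "/rl" in tokens and "highest" in tokens:
            rec["highest"] = True
    return sorted(name for name, rec in tasks.items()
                  if rec.get("highest")
                  and all(a in rec for a in ("/create", "/run", "/delete"))
                  and rec["/create"] <= rec["/run"] <= rec["/delete"]
                  and rec["/delete"] - rec["/create"] <= window)


_ST = r"C:\Windows\System32\schtasks.exe"
EVENTS = [  # constructed telemetry; names and timestamps are illustrative
    {"ts": "2021-07-01T10:00:00", "type": "FileCreate", "image": r"C:\Users\bob\Downloads\invoice.exe",
     "target": r"C:\Users\Public\svchost32.exe"},
    {"ts": "2021-07-01T10:00:01", "type": "ProcessCreate", "image": r"C:\Users\Public\svchost32.exe",
     "cmdline": r"C:\Users\Public\svchost32.exe"},
    {"ts": "2021-07-01T10:00:02", "type": "FileDelete", "image": r"C:\Users\Public\svchost32.exe",
     "target": r"C:\Users\bob\Downloads\invoice.exe"},
    {"ts": "2021-07-01T10:05:00", "type": "ProcessCreate", "image": _ST,
     "cmdline": r'schtasks /create /tn "Upd" /tr "C:\Users\Public\st.exe" /sc once /st 00:00 /rl highest /f'},
    {"ts": "2021-07-01T10:05:01", "type": "ProcessCreate", "image": _ST, "cmdline": r'schtasks /run /tn "Upd"'},
    {"ts": "2021-07-01T10:05:03", "type": "ProcessCreate", "image": _ST, "cmdline": r'schtasks /delete /tn "Upd" /f'},
    # benign: a document saved under Public, and an admin task that is created and left in place
    {"ts": "2021-07-01T10:06:00", "type": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Public\Documents\report.docx"},
    {"ts": "2021-07-01T10:07:00", "type": "ProcessCreate", "image": _ST,
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\bak\run.bat" /sc daily /st 02:00'},
]

if __name__ == "__main__":
    print("relocation:", detect_self_relocation(EVENTS))
    print("task abuse:", detect_task_abuse(EVENTS))
```

Both detections key on the ordering of events rather than on any single command line, so they still fire if the operator renames the dropped file or the task; the /rl highest requirement and the short create-to-delete window are what separate the sequence from an administrator registering a task and leaving it in place.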